sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat() (66081a72) · Commits · 戴 / test

The warning check for duplicate sysfs entries can cause a buffer overflow when printing the warning, as strcat() doesn't check buffer sizes. Use strlcat() instead. Since strlcat() doesn't return a pointer to the passed buffer, unlike strcat(), I had to convert the nested concatenation in sysfs_add_one() to an admittedly more obscure comma operator construct, to avoid emitting code for the concatenation if CONFIG_BUG is disabled. Signed-off-by:

Geert Uytterhoeven <geert@linux-m68k.org> Cc: stable@vger.kernel.org Signed-off-by:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/sysfs/dir.c

+8 −8

Original line number	Diff line number	Diff line
		@@ -485,20 +485,18 @@ int __sysfs_add_one(struct sysfs_addrm_cxt acxt, struct sysfs_dirent sd)
		/**
		* sysfs_pathname - return full path to sysfs dirent
		* @sd: sysfs_dirent whose path we want
		* @path: caller allocated buffer
		* @path: caller allocated buffer of size PATH_MAX
		*
		* Gives the name "/" to the sysfs_root entry; any path returned
		* is relative to wherever sysfs is mounted.
		*
		* XXX: does no error checking on @path size
		*/
		static char sysfs_pathname(struct sysfs_dirent sd, char *path)
		{
		if (sd->s_parent) {
		sysfs_pathname(sd->s_parent, path);
		strcat(path, "/");
		strlcat(path, "/", PATH_MAX);
		}
		strcat(path, sd->s_name);
		strlcat(path, sd->s_name, PATH_MAX);
		return path;
		}

		@@ -531,9 +529,11 @@ int sysfs_add_one(struct sysfs_addrm_cxt acxt, struct sysfs_dirent sd)
		char *path = kzalloc(PATH_MAX, GFP_KERNEL);
		WARN(1, KERN_WARNING
		"sysfs: cannot create duplicate filename '%s'\n",
		(path == NULL) ? sd->s_name :
		strcat(strcat(sysfs_pathname(acxt->parent_sd, path), "/"),
		sd->s_name));
		(path == NULL) ? sd->s_name
		: (sysfs_pathname(acxt->parent_sd, path),
		strlcat(path, "/", PATH_MAX),
		strlcat(path, sd->s_name, PATH_MAX),
		path));
		kfree(path);
		}

Admin message